Owing to email, data logs, text messages and the like, the quantity of official business records ascends skyward, while the granularity of those records grows ever more fine. Detailed within these innumerable records are the secrets of the organization.

Stored this way, secrets are dangerous.

Keeping secrets -- or just withholding information -- is becoming harder and harder. Secrets and records can leak out by way of FOIA, spies, gossip, hackers, mistakes, e-discovery, whistleblowers, external surveillance, or just the natural course of events (sousveillance). In finance, a "trusted" banker will leak to a friend secrets about exotic instruments like credit default swaps, which are so new that the law has yet to establish "insider trading" rules applicable to them. Kara Scannell, "Trader's 'Nice Little Kiss' Tests Reach of Regulations," Wall Street Journal, March 31, 2010.

A leak is dangerous.

The leak is an invitation for an adversary to allege malfeasance. When a secret leaks, the adversary's storyline becomes (a) the organization possessed information that the public needed, (b) the organization wrongfully withheld the information and (c) the public now knows the information only because a righteous force external to the organization brought it to light.

For a smart organization, the best posture is to preempt the leaking. Before the leak happens, it should embrace transparency and publish nearly all of its records and activities onto the public Internet. It should expose its information to independent review and debate. Authors Tapscott and Ticoll admiringly call such an organization the naked corporation.

False Statement?

Take for example the story of the small, grassroots political action committee named "Take Back Your City," which is promoting a vote by citizens against red light cameras in the municipality of College Station, Texas. Through a freedom of information act request, the PAC obtained extensive email records regarding the city government's use of the cameras. In this trove of information, the PAC found what it believes is smoking-gun evidence that the city is engaged in false, illegal political advertising about the effectiveness of the cameras. The city claims -- in a flyer to be inserted in monthly utility bills -- that the cameras have reduced traffic accidents, but the PAC says an internal city email contradicts that claim. The PAC attached the email as evidence to a formal complaint it filed with the Texas Ethics Commission.

Whether this complaint will result in ethics sanctions against the city (or more particularly the city manager cited in the complaint), I don't know. But the city's defense would be easier had it been more open and transparent with its records. When it gave the email records to the PAC, it could have posted them all on its web page as well. (Why not? The city had already gone to the trouble to compile them.) Then, when it prepared its flyer for the utility bills, it could have made its point about accident reductions while also saying, "Each citizen can draw his or her own conclusions. The city has posted on its web page exhaustive records regarding traffic cameras."

Such openness takes the punch out of allegations that the city lied. Effectively, it enables the city to say, “We drew a conclusion from the data and told citizens our conclusion, but our statements to citizens were more than just that. We also made all the data available to the citizens and told them they could read it themselves and draw their own conclusions. We've opened the data to third party review.”

Investigating Leaks

Another lesson in transparency derives from the contrast in styles between the board of directors at Hewlett-Packard Company and the town council at Watertown, Massachusetts.

When HP saw that someone on its board was leaking company secrets, it assumed cloak-and-dagger mode. It didn't talk about the problem. It secretly hired private investigators to spy on members of its board as well as reporters in the media. The private eyes violated the privacy of the directors by hijacking their telephone calling records. AT&T discovered the hijacking and reported it to its customer, Tom Perkins, one of the directors targeted by the spying. The result was an embarrassing, debilitating scandal, with lawsuits, criminal complaints, an SEC investigation, a congressional investigation, and the end of the careers of two of the company's top lawyers.

HP followed the old-fashioned, closed approach to resolving a crisis. But in this Internet age -- where clandestine activities are hard to keep clandestine -- that approach led to disaster.

Compare the YouTube video below. It shows the town council dealing with the same problem as the HP board -- insider leaks. The leaks pertained to closed-door deliberations about contracts. But rather than spying on its members in the dark of night, the Watertown council brought the issue into the open. It discussed the topic in a public, video-broadcast session!

Notice that Watertown’s transparency immediately deters future leaks. The leaker has to be thinking, “My leaks are attracting negative attention. Now all the citizens are on alert, and some knowledgeable witness watching out there may come forward with embarrassing information that reveals me as the leaker. I’d best stop leaking.”

By being transparent, the council uses the Internet as its enforcer, and it avoids the risk of an HP-style scandal. Legal compliance meets modern public communications.

–Benjamin Wright

At the SANS Institute, Mr. Wright stresses that, in the wake of a data security incident, the delivery of an effective public message is as important as the technical and legal response.

Local ARMA Quote

"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in the subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center in 1984.

SANS Quote

"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- is public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.